From: Dilshan Jayarathna <dilshan.jayarathna@mq.edu.au>
To: xen-devel@lists.xensource.com
Subject: Re: [XSM] Setting of ACM Policy
Date: Wed, 03 Sep 2008 10:43:38 +1000
Message-ID: <48BDDDBA.4020103@mq.edu.au>
In-Reply-To: <200809021900.m82J0FC2012318@baldrick.ocs.mq.edu.au>

Hi Kuniyasu,

What is your default boot entry in the grub menu?
XSM seems to set the policy ref (e.g.
ssidref=0x00010001:ACM:mytest:SystemManagement)
and the 'module /<policy_name>.bin' in the default entry.

But I recommend Stefan's advice and try to move to 3.3.0.
I am also having some local time issues when I tried to create HVM
guests and it seems to be a known bug, which has been fixed in 3.3.0.
I am planning to build 3.3.0 soon.

Regards,
Dilshan

Please CC to me if you're replying since I am only getting the digest.

> Date: Tue, 02 Sep 2008 18:03:32 +0900 (JST)
> From: Kuniyasu Suzaki <k.suzaki@aist.go.jp>
> Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> To: xen-devel@lists.xensource.com
> Message-ID: <20080902.180332.193697797.k.suzaki@aist.go.jp>
> Content-Type: Text/Plain; charset=us-ascii
>
>
> Stefan,
>
> >>From: Stefan Berger <stefanb@us.ibm.com>
> >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> >>
> >>> Unfortunately the setting is re-written by "DEFAULT policy" when xend
> >>> is started.
> >>> Can't we fix the policy at the boot time?
> >>
> >>I am not sure what you mean by 'fix the policy at the boot time?'.
>
> When I set up a policy in the GRUB menu, the policy becomes immutable till shutdown.
> I don't want the policy to be changed by any commands.
>
> However "xend" and "xm" command change the policy easily in the current implementation.
> Should I use the Mandatory Access Control of SE-Linux on Dom0 to keep the policy?
>
> >>You seem to be using an older version of Xen. Is there any possibility to
> >>move to 3.3.0?
>
> When I tried xsm, Xen3.2.1 was the latest stable version.
> I will move to 3.3.0.
>
> -----
> suzaki
>
> >>> >>
> >>> >>Cheers,
> >>> >>Dilshan
> >>> >>
> >>> >>> ------
> >>> >>> suzaki
> >>> >>>
> >>> >>> >>From: Dilshan Jayarathna <dilshan.jayarathna@mq.edu.au>
> >>> >>> >>Subject: Re: [Xen-devel] [XSM] Setting of ACM Policy
> >>> >>> >>
> >>> >>> >>Hi Suzaki,
> >>> >>> >>
> >>> >>> >>It looks like a faulty build. (I could be wrong)
> >>> >>> >>If you've set ACM_SECURITY ?= y in Config.mk when
> >>> >>> >>building xen, you must get ACM as the supported security
> >>> >>> >>subsystem when you run 'xm getpolicy'.
> >>> >>> >>
> >>> >>> >>If you just run 'xm setpolicy', you should get an error but it
> >>> >>> >>also tells you the supported policy type
> >>> >>> >>(...The only policytype that is currently supported is 'ACM'...)
> >>> >>> >>
> >>> >>> >>You can use xensec_ezpolicy to create a policy in xml
> >>> >>> >>format. Then 'xm setpolicy...' to convert xml to binary
> >>> >>> >>format and to activate the policy.
> >>> >>> >>
> >>> >>> >>But if the XSM is not built properly, none of the above will
> >>> >>> >>work.
> >>> >>> >>
> >>> >>> >>Hope this helps.
> >>> >>> >>
> >>> >>> >>Cheers,
> >>> >>> >>Dilshan
> >>> >>> >>
> >>> >>> >>Kuniyasu Suzaki wrote:
> >>> >>> >>> Hello,
> >>> >>> >>>
> >>> >>> >>> Please tell me how to setup ACM of XSM.
> >>> >>> >>> I could build a XSM but it doesn't work well.
> >>> >>> >>> # xm getpolicy
> >>> >>> >>> Supported security subsystems: None
> >>> >>> >>>
> >>> >>> >>> I guess it is caused by the lack of a policy file.
> >>> >>> >>> I referred to the following manual and tried to create a policy file.
> >>> >>> >>>
> >>> >>> >>> http://www.cl.cam.ac.uk/research/srg/netos/xen/readmes/user.pdf
> >>> >>> >>>
> >>> >>> >>> The manual tells that the following command creates a policy
> >>> >>> >>> file "mytest.bin".
> >>> >>> >>> # xm setpolicy ACM mytest
> >>> >>> >>>
> >>> >>> >>> However the command doesn't work well. Please tell me
> >>> >>> >>> how to create a policy file.
> >>> >>> >>> I tried on Xen 3.2.1. Is the step obsolete?
> >>> >>> >>>
> >>> >>> >>> ------
> >>> >>> >>> suzaki
> >>> >>> >>>
> >>> >>> >>> _______________________________________________
> >>> >>> >>> Xen-devel mailing list
> >>> >>> >>> Xen-devel@lists.xensource.com
> >>> >>> >>> http://lists.xensource.com/xen-devel
> >>> >>> >>>
>
> End of Xen-devel Digest, Vol 43, Issue 10
> *****************************************
>